How can I decrypt HTTPS messages sent from a C# HTTP Client using Wireshark?
We have a .Net 4.6.1 service that is using HttpWebRequest to send an HTTPS request to another web service. We're trying to capture the problem we're having with this request so we can send a data log to the owners of the external service. We have a Wireshark trace of the request/response, but can't decrypt it. The remote service is Java, but that shouldn't matter.

We found this very informative post, but it's referring to HTTP through a browser: https://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites/42350#42350

Is there a way we can get the private RSA key used on our system to decode the request? This won't work for decrypting the HTTPS response, correct? Will generating an SSL keylog file solve this problem? If so, can we modify our code to generate the file? Other solutions? Thanks.

Nighthawk answered 17/5, 2017 at 21:4 Comment(2)
Wireshark can do it, but IIRC you need the private key of the remote server, and if the protocol uses Perfect Forward Secrecy then it won't be able to do it. - Stuffed
Figured as much. Could we at least decrypt the HTTPS request? - Nighthawk
3

I thought of a workaround solution, so long as your networking infrastructure would allow it.

  1. Reconfigure your client app to call remote server via HTTP (instead of HTTPS)
  2. Put a proxy in place and configure your client to send via the proxy.
  3. Configure proxy to forward via HTTPS (and out to the remote server)
  4. Use Wireshark to capture request between your client and proxy.

You'll have both request and response. The request should be in more or less pristine form; the response will probably have a couple of extra headers (like Via:) from the proxy, but that shouldn't prevent your troubleshooting.

Stuffed answered 17/5, 2017 at 21:18 Comment(2)
Yeah... I guess we could do that. I don't know of a proxy that'll do that for us. I could write something, I guess. We've already changed our internal client code to log the request/response body and headers, but wanted something the client would trust more than just our homegrown logs. Hence Wireshark. Going the proxy route increases the time & effort to do this. Thanks. - Nighthawk
@Nighthawk If I remember correctly, Paros proxy can do it. I believe it has a request rewrite rule engine, though it hasn't been maintained for a while. Perhaps OWASP ZED can do it as well? If anything, that would make for a good post on one of the SO admin/devops sites :) Definitely don't write your own. - Stuffed
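The four-step workaround above as a minimal Python forwarding proxy, added here as an example and not code from the answer or its author. The listen address, the UPSTREAM_HOST placeholder and the Via token are assumed values; the proxy keeps certificate verification on the TLS hop, so the workaround does not weaken the connection to the remote service.

```python
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed placeholder values: point the .NET client at http://127.0.0.1:8080/ and
# replace UPSTREAM_HOST with the real remote service. Wireshark captures the
# client<->proxy leg in clear text; the proxy<->remote leg stays TLS with
# certificate verification.
UPSTREAM_HOST = "remote.example.invalid"
LISTEN = ("127.0.0.1", 8080)
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade"}

def upstream_headers(pairs, host):
    """Rewrite the client's request headers for the TLS hop: drop hop-by-hop headers, fix Host."""
    out = {k: v for k, v in pairs if k.lower() not in HOP_BY_HOP}
    out["Host"] = host
    return out

def annotate_response(pairs, via="1.1 capture-proxy"):
    """Drop hop-by-hop headers and append a Via token so the proxy hop is visible in the capture."""
    out = {k: v for k, v in pairs if k.lower() not in HOP_BY_HOP}
    out["Via"] = f"{out['Via']}, {via}" if "Via" in out else via
    return out

class Forwarder(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _forward(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        ctx = ssl.create_default_context()  # verifies the remote server's certificate
        conn = http.client.HTTPSConnection(UPSTREAM_HOST, 443, context=ctx, timeout=30)
        conn.request(self.command, self.path, body, upstream_headers(self.headers.items(), UPSTREAM_HOST))
        resp = conn.getresponse()
        data = resp.read()  # http.client de-chunks, so the reply is re-framed with Content-Length
        self.send_response(resp.status, resp.reason)
        for k, v in annotate_response(resp.getheaders()).items():
            if k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
        conn.close()

    do_GET = do_POST = do_PUT = do_DELETE = _forward

if __name__ == "__main__":
    HTTPServer(LISTEN, Forwarder).serve_forever()
```

Point the client at the proxy and capture on loopback: both request and response appear as plain HTTP, with the response carrying the extra Via header the answer predicts.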
2

Turning on the system logging for the application might help. You can set up the application's config file to turn this on and write to a file. The logs will be unencrypted and they will show the request/response along with more.

Here's an example; name it [app name].exe.config and place it in the same directory as the .exe.

<configuration>
    <system.diagnostics>
        <trace autoflush="true"/>
        <sources>
            <source name="System.Net" maxdatasize="10240">
                <listeners>
                    <add name="TraceFile"/>
                </listeners>
            </source>
            <source name="System.Net.Sockets" maxdatasize="10240">
                <listeners>
                    <add name="TraceFile"/>
                    <!-- 
                    Commented this out because it can cause the program to slow down when running from the command line and console output is enabled
                    <add name="consoleListener" type="System.Diagnostics.ConsoleTraceListener"/> 
                    -->
                </listeners>
            </source>
        </sources>
        <sharedListeners>
            <add name="TraceFile" type="System.Diagnostics.TextWriterTraceListener" initializeData="trace.log"/>
        </sharedListeners>
        <switches>
            <add name="System.Net" value="Verbose"/>
            <add name="System.Net.Sockets" value="Verbose"/>
        </switches>
    </system.diagnostics>
</configuration>

You might want to take out the System.Net tracing and just log System.Net.Sockets.

Strunk answered 22/5, 2020 at 12:37 Comment(0)